FHIR Chat · FIDO · smart

Stream: smart

Topic: FIDO


John Moehrke (Jun 08 2020 at 16:00):

How does the FIDO standard fit into SMART-on-FHIR? I always envisioned this as a pluggable authentication mechanism inside the OpenID Connect service. Thus SMART-on-FHIR would be agnostic to whether FIDO was used or any other authentication mechanism. Right?

Josh Mandel (Jun 08 2020 at 16:23):

Correct! FIDO would be used as a way to authenticate to the SMART authz server (which the SMART spec doesn't constrain).

Ryan Howells (Sep 15 2020 at 01:21):

Awesome @Josh Mandel. How could we link an identity proofed credential with a FIDO2/WebAuthn (https://www.w3.org/TR/webauthn/) / SMART authentication event? Could the UDAP profiles be helpful?

To make identity federation work at scale, many entities are first voluntarily strengthening their authentication approach using FIDO2/WebAuthn. The next step is to determine how to connect their ID-proofed credential to FIDO/SMART. FIDO has created some draft protocols for how to do this, linked below. Curious to get your and @Luis Maas's thoughts on the role SMART or UDAP should play. The three of us should also discuss FIDO's Fall conference that CARIN will be participating in (https://authenticatecon.com/).
• How FIDO integrates with federation protocols: https://www.slideshare.net/FIDOAlliance/integrating-fido-authentication-federation-protocols
• How FIDO could be used with OpenID: https://openid.net/2019/04/22/public-review-period-for-two-proposed-eap-implementers-drafts/

Josh Mandel (Sep 15 2020 at 01:36):

• UDAP is unrelated to user authentication.

• SMART is agnostic about how users authenticate to the SMART authorization server (it just allows a downstream app to leverage that authentication event, however performed, for single sign-on via OpenID Connect).

This separation of concerns is a benefit; it allows technologies to be layered and combined to accomplish the things they're best at.

I think @Ryan Howells you're using the word "credential" to mean some verified identity attributes that are bound to an authentication method. Like, any SMART EHR that happens to support logging in with WebAuthn would probably be an example of what you're asking about. (But as usual, the challenges are establishing rules for how attributes are verified, deploying identity proofing in a pro-privacy + scalable fashion and building a network of participants willing to trust these attributes.)

Josh Mandel (Sep 15 2020 at 02:04):

In Ryan's link to openid.net above, there's a proposal for use of "token binding" with OIDC. This is a pretty highly technical proposal to digest, but to ground the discussion in current reality, I'll note that https://groups.google.com/a/chromium.org/g/blink-dev/c/OkdLUyYmY1E/discussion?pli=1 captures the decision from 2018 to remove token binding from the Chromium browser. So it's basically not available in any current browsers, and I'd suggest we not get stuck on or distracted by this thread of discussion.

John Moehrke (Sep 15 2020 at 15:52):

+1

Ryan Howells (Sep 18 2020 at 15:40):

That's right, Josh. We're working on some policy components to help with establishing the rules of the road. FIDO is also doing some work in the area of identity verification and binding, but it's unclear if it's related to "token binding": https://fidoalliance.org/identity-verification-binding/ I'm trying to get access to some of their working documents, but their virtual event is probably the best place to find out more (https://authenticatecon.com/).


Last updated: Apr 12 2022 at 19:14 UTC